Project maintainer can escalate to Project owner using project access token rotate API
HackerOne report #2058934 by ashish_r_padelkar
on 2023-07-09, assigned to @nmalcolm:
Report | Attachments | How To Reproduce
Report
Summary
Hello,
Project access tokens can be created at https://gitlab.com/<NameSpace>/<ProjectName>/-/settings/access_tokens. A project owner can create a project access token with the Owner role, whereas a project maintainer can create tokens up to the Maintainer role only.
Also, once a PAT (project access token) is created, its value is visible only at creation time. If a project owner creates a PAT with the Owner role, a maintainer will not be able to see the token, so they cannot use a token with Owner scope; this works correctly.
However, using the rotate API for the PAT, a maintainer can generate a new token which will have the Owner role, since the token was previously created by the project owner.
Steps to reproduce
1. Log in as a project Owner and go to https://gitlab.com/<NameSpace>/<ProjectName>/-/settings/access_tokens.
2. Create a new token with the Owner role and the API scope.
3. Now log in as a Maintainer of the same project and go to https://gitlab.com/<NameSpace>/<ProjectName>/-/settings/access_tokens. You see that the project owner has created a PAT, but you can only see the name of the token, its role and its scope, not the token itself. This means you cannot use a token that has a higher role than your own, which is working correctly and as expected.
4. Now create your personal access token at https://gitlab.com/-/profile/personal_access_tokens with the API scope.
5. Visit https://gitlab.com/api/v4/projects/<ID>/access_tokens/ and note the ID of the PAT created by the project owner.
6. Now replace these values in the curl request below.
curl --request POST --header "PRIVATE-TOKEN: glpat-YourpersonalToken" "https://gitlab.com/api/v4/projects/<ProjectID>/access_tokens/<PAT_ID>/rotate"
7. You see that you have rotated the project access token created by the project owner, and the response contains the value of the new token with ROLE 50, which means project Owner. This means that, as a project Maintainer, you can use this new token with the project Owner role and escalate your privileges.
What is the current bug behavior?
Maintainers can use the PAT rotate API to generate a new token which may have the Owner role and escalate their privileges.
What is the expected correct behavior?
If a PAT has the Owner role, then only project owners should be able to rotate the PAT.
Output of checks
This bug happens on GitLab.com GitLab Enterprise Edition 16.2.0-pre e124cf77951
Regards,
Ashish
Impact
Project maintainer can escalate to Project owner using project access token rotate API.
Project Owner has more capabilities than Maintainers, hence confidentiality and integrity are rated as high in CVSS.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section:
Proposal
See #418878 (comment 1475837442) for the desired behaviour for PrAT/GrAT and service account rotation behaviour
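The expected behaviour stated in the report (a token with the Owner role may only be rotated by someone who holds the Owner role) comes down to running the same access-level check on rotation that already gates creation: compare the existing token's role with the requester's role on the project before issuing a replacement. The following is an added illustration written for this page, not GitLab's own code; the Project, ProjectAccessToken and Forbidden classes are hypothetical, and the access-level numbers are the ones GitLab uses (Owner = 50, as seen in step 7 of the report).

```ruby
# Added example: a constructed model of project access tokens in which the
# authorization check is shared between token creation and token rotation.
# Class names are hypothetical; this is not GitLab's implementation.
require 'securerandom'

# Access levels as GitLab numbers them (role 50 in the report is OWNER).
module Access
  GUEST      = 10
  REPORTER   = 20
  DEVELOPER  = 30
  MAINTAINER = 40
  OWNER      = 50
end

class Forbidden < StandardError; end

# A project access token carries the access level of its bot user.
ProjectAccessToken = Struct.new(:id, :name, :access_level, :value, :revoked,
                                keyword_init: true)

class Project
  attr_reader :members, :tokens

  def initialize
    @members = {}   # user name => access level on this project
    @tokens  = {}   # token id => ProjectAccessToken
    @next_id = 1
  end

  def add_member(user, level)
    @members[user] = level
  end

  def access_level_of(user)
    @members.fetch(user, 0)
  end

  # Creation: the caller must be at least Maintainer and may not mint a token
  # above their own role. This is the behaviour the report describes as correct.
  def create_token(user, name:, access_level:)
    authorize_token_level!(user, access_level)
    token = ProjectAccessToken.new(id: @next_id, name: name,
                                   access_level: access_level,
                                   value: "glpat-#{SecureRandom.hex(10)}",
                                   revoked: false)
    @next_id += 1
    @tokens[token.id] = token
  end

  # Rotation: before issuing a replacement, apply the creation check to the
  # EXISTING token's access level. Skipping this step is exactly the gap the
  # report exploits: a Maintainer rotating an Owner token would receive the new
  # Owner-level secret in the response.
  def rotate_token(user, token_id)
    old = @tokens.fetch(token_id)
    authorize_token_level!(user, old.access_level)
    old.revoked = true
    create_token(user, name: old.name, access_level: old.access_level)
  end

  private

  # Shared check: requester must hold at least Maintainer, and the token's
  # role must not exceed the requester's own role on the project.
  def authorize_token_level!(user, level)
    mine = access_level_of(user)
    raise Forbidden, "#{user} is not a maintainer of this project" if mine < Access::MAINTAINER
    raise Forbidden, "#{user} (level #{mine}) cannot handle a level #{level} token" if level > mine
  end
end
```

The point of the shared `authorize_token_level!` helper is that rotation is semantically a fresh token issuance, so every constraint applied at creation (minimum role of the caller, token role bounded by the caller's role) has to hold again at rotation time, against the role of the token being replaced rather than a role chosen by the caller.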